Midterm Review IS Auditing


Classes of Things You have Learned

Concepts: Things you need to know before you perform an audit. These are theories, frameworks and facts that underlie and motivate your activities.

Activities and Tasks: Things you (as an auditor) need to do in conducting an IS Audit

Tools: Used to perform an audit. These provide the tangible items, spreadsheets, documentation, etc. that support the activities and tasks.

Concepts

Things you need to know before you perform an audit. These are theories, frameworks and facts that underlie and motivate your activities.

What is Auditing

And where does IS Auditing fit into the General Audit?

The purpose of an audit is to render an audit opinion. The next few slides will show you that:

• Internal control is more important today than an accurate balance sheet
• Information systems auditing of one sort or another represents the main responsibility of an audit
  • Because most of the attestations relate to internal controls over transactions that are being processed by computers

Old Style Audit Opinion (UK) Plain and Simple

Opinion

In our opinion the financial statements give a true and fair view of the state of affairs of the Company and the Group as at December 31, 2004 and of the profit of the Group for the year then ended; and the financial statements and the part of the directors’ remuneration report to be audited have been properly prepared in accordance with the Companies Act 1985.

KPMG Audit Plc
Chartered Accountants, Registered Auditor
London
February 9, 2005

Management’s letter: after Sarbanes-Oxley

Report of Management on Internal Control Over Financial Reporting

We, the management of Verizon Communications Inc., are responsible for establishing and maintaining adequate internal control over financial reporting of the company. Management has evaluated internal control over financial reporting of the company using the criteria for effective internal control established in Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission.

Management has assessed the effectiveness of the company’s internal control over financial reporting as of December 31, 2004. Based on this assessment, we believe that the internal control over financial reporting of the company is effective as of December 31, 2004. In connection with this assessment, there were no material weaknesses in the company’s internal control over financial reporting identified by management.

The company’s financial statements included in this annual report have been audited by Ernst & Young LLP, independent registered public accounting firm. Ernst & Young LLP has also issued an attestation report on management’s assessment of the company’s internal control over financial reporting.

Ivan G. Seidenberg, Chairman and Chief Executive Officer

Doreen A. Toben, Executive Vice President and Chief Financial Officer

David H. Benson, Senior Vice President and Controller

Statement of Audit Scope and Responsibilities

To The Board of Directors and Shareowners of Verizon Communications Inc.:

We have audited management’s assessment, included in the accompanying Report of Management on Internal Control Over Financial Reporting, that Verizon Communications Inc. and subsidiaries (Verizon) maintained effective internal control over financial reporting as of December 31, 2004, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (the COSO criteria). Verizon’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting. Our responsibility is to express an opinion on management’s assessment and an opinion on the effectiveness of the company’s internal control over financial reporting based on our audit.

We conducted our audit in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, evaluating management’s assessment, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, management’s assessment that Verizon maintained effective internal control over financial reporting, as of December 31, 2004, is fairly stated, in all material respects, based on the COSO criteria. Also, in our opinion, Verizon maintained, in all material respects, effective internal control over financial reporting as of December 31, 2004, based on the COSO criteria.

We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the consolidated balance sheets of Verizon as of December 31, 2004 and 2003, and the related consolidated statements of income, cash flows and changes in shareowners’ investment for each of the three years in the period ended December 31, 2004 and our report dated February 22, 2005 expressed an unqualified opinion thereon.

Ernst & Young LLP
New York, New York
February 22, 2005

Report of Independent Registered Public Accounting Firm on Financial Statements

Audit Opinion

To The Board of Directors and Shareowners of Verizon Communications Inc.:

We have audited the accompanying consolidated balance sheets of Verizon Communications Inc. and subsidiaries (Verizon) as of December 31, 2004 and 2003, and the related consolidated statements of income, cash flows and changes in shareowners’ investment for each of the three years in the period ended December 31, 2004. These financial statements are the responsibility of Verizon’s management. Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the financial statements referred to above present fairly, in all material respects, the consolidated financial position of Verizon at December 31, 2004 and 2003, and the consolidated results of their operations and their cash flows for each of the three years in the period ended December 31, 2004, in conformity with U.S. generally accepted accounting principles.

As discussed in Note 2 to the consolidated financial statements, Verizon changed its methods of accounting for directory revenues and expenses, stock-based compensation and asset retirement obligations effective January 1, 2003.

We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the effectiveness of Verizon’s internal control over financial reporting as of December 31, 2004, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission and our report dated February 22, 2005 expressed an unqualified opinion thereon.

Ernst & Young LLP
New York, New York
February 22, 2005

Auditing Schematic

[Figure: Auditing Schematic. Labels: The Physical World (External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Transactions). The Parallel (Logical) World of Accounting (Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics). Auditing (Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Attestation; Audit Report / Opinion; Corporate Law).]

IS Assets

[Figure: IS Assets. Labels: Central Processing Unit; Memory; Peripheral Processor (Video, Bus, Etc.); Network Devices; RAM / ROM; Optical & Magnetic Media; Operating Systems; Specialized O/S; Utilities; Network O/S; Database O/S; Programming Languages, Tools & Environments; Utilities and Services; Applications.]

How Auditors Should Visualize Computer Systems

[Figure: layered view of a computer system. Labels: Audit Objectives; Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Transaction Flows; Business Application Systems; Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment.]

IS Assets: The main categories of Computer Applications, and their relative importance

| Information Technology Market | Annual Expenditures ($US billion) | Employees (thousand) | Major Suppliers |
|---|---|---|---|
| Operations & Accounting | 500 | 2000 | US, India |
| Search & Storage | 1000 | 5000 | US |
| Tools | 300 | 300 | US, Germany |
| Embedded | 1500 | 700 | US, Japan, Korea, Greater China |
| Communications | 700 | 2000 | US, Germany, Japan, Greater China |
| Total | 4,000 | 10,000 | |

GWP ~$45 trillion (Pop: 6 billion)

US GDP ~$10 trillion (Pop: 300 million)

The IS Auditor’s Challenge

• Corporate Accounting is in a constant state of flux
  • Because of advances in Information Technology applied to Accounting
• Information that is needed for an Audit is often hidden from easy access by auditors
  • Making computer knowledge an important prerequisite for auditing
• IS (and also just Information) assets are increasingly the main proportion of wealth held by corporations

The Challenge to Auditing Presented by Computers

• Transaction flows are less visible
• Fraud is easier
• Computers do exactly what you tell them
  • To err is human
  • But, to really screw up you need a computer
• Audit samples require computer knowledge and access
• Transaction flows are much larger (good for the company, bad for the auditor)
  • Audits grow bigger and bigger from year to year
  • And there is more pressure to eat hours
• Environmental, physical and logical security problems grow exponentially
  • Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

The Challenge to Auditing Presented by The Internet

• Transaction flows are External
  • External copies of transactions on many Internet nodes
  • External Service Providers for accounting systems require giving control to outsiders with different incentives
• Audit samples may be impossible to obtain
  • Because they require access to 3rd party databases
• Transaction flows are intermingled between companies
• Environmental, physical and logical security problems grow exponentially
  • Externally originated viruses and hacking are the major source of risk (10 years ago it was employees)

Utility Computing

• Service Organizations like EDS
  • Are in the business of running IS shops
  • Only the transactions are handled by the client
• They are being replaced by Utility Computing
  • Which is an outgrowth of software vending business models
  • Particularly those of Oracle, SAP and Salesforce.com

Utility Computing

Why do firms choose Utility computing?

• Utility computing offers greater flexibility in the creation of computing environments when they are needed.
  • It opens up usage-based pricing and reduces users' use of capital.
• Utility Computing allows an organization to have the ability to harness latent computing power and resources, regardless of application or other physical or organizational boundaries.
  • It allows an organization to virtually repurpose operating systems, application mix, processing power, and storage to the immediate needs of the corporation, to meet new demand or to rapidly create computing environments for projects.

Utility Computing

Pervasiveness of Utility Computing

• Recent moves like Oracle's acquisition of Siebel, and the growing popularity of software-as-a-service vendors like Salesforce.com, are indicators that the software industry is tilting toward an on-demand future
• Still, on-demand services are likely to account for less than 10 percent of business application use through 2010 (Gartner)
  • The reason is that the on-demand model is not suitable for complex business uses like logistics support and order handling, nor for large complex companies requiring business process support
  • But the "complexity constraint bar" will rise over time since on-demand vendors can add functionality easily

Utility Computing

Consequences: Control of Data and Programs

• Copies of data outside the organization
  • Accounting transactions (fraud, loss, alteration)
  • Personnel and customer records (privacy, theft)
• Operation of programs may be less well understood since there are no in-house experts
  • This may lead to more audit exceptions

Ideas, not Things, have Value … and these ideas are tracked in the computer

[Figure: chart of Asset Intensity (Fixed Assets / Sales) and 5-yr Shareholder Return % plotted against rank order by increasing return.]

How Accounting has had to Change Because of Business Automation

[Figure: two value-chain diagrams. The first is labelled Material, Labor, Capital, Manufacturing Value Added and Consumer, with the values 50%, 30%, 20% and 110%. The second is labelled Material, Labor, Capital, Manufacturing Value Added, Consumer, Knowledge Integrator (four times), Knowledge Base (uncertain claims, contributions and property rights), Manufacturing, Specifications and Finished Product, with the values 5%, 5%, 10%, 80%, 110% and 20%.]

Activities and Tasks

Internal Controls are of Two Types

1. Preventing, Detecting and Correcting Errors & Omissions to Transactions
   1. Typically the most important transaction flows are
      1. Sales, Cost of Goods Sold, S, G & A Expense, Collections, Disbursements (look at your financial statements)
   2. These controls are built into the accounting functions (and you may have learned some of them in your accounting classes)
      1. i.e., programmed into accounting software
      2. Increasingly this software is run by outside firms
         1. E.g., Salesforce.com for Sales
2. Preventing, Detecting and Prosecuting Security Breaches causing loss or damage of Assets
   1. Your computer inventory will identify the main IS Assets at risk

Security Controls

What is Security?

• Security involves:
  • The protection of a person, property or organization from attack
  • Knowing the types of possible attacks
  • Being aware of the motivations for attacks and your relationship to those motives
• Proper security
  • Makes it difficult to attack, threatens counter-measures, or makes a pre-emptive attack on a source of threat
• IS Security is a collection of investments and procedures that:
  • Protect information stored on computers
  • Protect Hardware and Software assets
  • From theft or vandalism by 3rd parties

Security Controls

Security: What is a Lock & Key?

• Lock is a security system
  • The key is its password
• Keys used to be worn visibly around the neck
  • As a sign of authority (similar to employee badges today)
• Newer Technology
  • Badges and electronic keys
  • Biometrics (M-28 fingerprint lock at right)
  • Remote controls (Lexus keys)
• Almost All Security Controls use the Lock & Key paradigm
  • Authorization system = Who gets a Key (And Why?)
  • Password, etc. = Key
  • Encryption algorithms, SSL, etc. = Lock

Security Controls: ‘Keys’ are just another Security Policy

• A security policy establishes what must be done to protect information stored on computers
• Keys are physical manifestations of “Authorization”
  • Issuance and control of keys are just part of the authorization scheme.

Security Controls: Effective security policy

• An effective security policy also protects people.
  • Anyone who makes decisions or takes action in a situation where information is at risk incurs personal risk as well.
  • A security policy allows people to take necessary actions without fear of reprisal.
• Security policy compels the safeguarding of information, while it eliminates, or at least reduces, personal liability for employees.

Security Controls: Effective security policy

• Security policy defines the organization’s attitude to Assets, and announces internally and externally which assets are mission critical
  • Which are to be protected from unauthorized access, vandalism and destruction by 3rd parties
• Effective information security policies
  • Will turn staff into participants in the company’s security
  • The process of developing these policies will help to define a company’s assets

Security Controls: Why Do You Need Security Policy?

• A security policy should
  • Protect people and information
  • Set the rules for expected behavior by users, system administrators, management, and security personnel
  • Authorize security personnel to monitor, probe, and investigate
  • Define and authorize the consequences of violation

Security Controls: Where to apply controls (i.e., Security Policies)

Entry into Computer Crime

• This flowchart describes the points at which Control Processes may be created to stop criminals
• Controls may:
  • Prevent access to the asset
  • Detect asset access
  • Correct the problems or losses after an illicit access
• Remember that criminals specialize in one type of crime

[Figure: Entry into Computer Crime flowchart. Labels: Personal Background; Learning Skills to Commit Crime; Reaction to Chance Event; Motives; Choose "Best" Option; Premeditated / Un-premeditated; Decision / Action Matrix with Select Asset, Don't Select, Commit Crime and Don't Commit, and the cell entries Unfamiliar, Not enough value, N/A, Face Penalties, Enjoy Rewards, Too Hard, Monitored.]

Security Controls: Why Prevention is more important than Detection and Correction … Bringing a computer crime to court

| Step | Potential Terminal Outcome |
|---|---|
| Crime committed | Not detected |
| Reported | Not investigated |
| Investigation | Unsolved |
| Arrest | Released without prosecution |
| Booking | Released without prosecution |
| Preliminary appearance in court | Charges dropped or dismissed |
| Bail or detention | |
| Adjudication | Arbitration, Settled "Out of Court" |
| Arraignment | Charge dismissed |
| Trial | Acquitted |
| Sentencing | Appeal |
| Sentencing | Probation |
| Sentencing | Prison |

Tools for IS Audits

Tool Categories

[Figure: Auditing Schematic, repeated. Labels: The Physical World (External Real World Entities and Events that Create and Destroy Value; Internal Operations of the Firm; 'Owned' Assets and Liabilities; Transactions). The Parallel (Logical) World of Accounting (Accounting Systems; Journal Entries; Ledgers: Databases; Reports: Statistics). Auditing (Audit Program; Tests of Transactions; Substantive Tests; Analytical Tests; Attestation; Audit Report / Opinion; Corporate Law).]

• Internal Control Tests (Tests of Transactions)
  • Transaction errors and omissions
  • Internal control procedures
  • Most IS Auditing is in this Category
• Substantive Tests (Asset Balances and Expenses)
  • Physical Inventory
  • A/R Confirmations
• Analytical Tests
  • Ratio Tests

The IS Inventory Records all of the Firm’s IS Assets

[Figure: IS Assets, repeated. Labels: Central Processing Unit; Memory; Peripheral Processor (Video, Bus, Etc.); Network Devices; RAM / ROM; Optical & Magnetic Media; Operating Systems; Specialized O/S; Utilities; Network O/S; Database O/S; Programming Languages, Tools & Environments; Utilities and Services; Applications.]

The Information Systems Asset inventory

Hardware, Software, Communications and Databases (and perhaps printers, copiers and fax machines)

These point the direction to: Transaction Flows (Sales, COGS, Collections, etc.); Applications; Internal Controls

Both are where most of the auditing takes place

The Inventory of Major Transaction Flows and Applications is the Basis for the Risk Assessment Matrix

How Auditors Should Visualize Computer Systems

[Figure: layered view of a computer system, repeated. Labels: Audit Objectives; Asset Loss Risks (Internal Audits); Reporting Risks (External Audit); Control Process Risks (Internal & External Audits); Transaction Flows; Business Application Systems; Operating Systems (including DBMS, network and other special systems); Hardware Platform; Physical and Logical Security Environment.]

Risk Assessment Database

• The Risk Assessment Database
  • Takes the IS Asset Inventory, then
  • Determines the major Transaction Flows, then
  • Determines the major classes of Internal Control Risk for each
    • This should be a Dollar estimate of Expected Loss

Columns 1 to 4: Asset (Ex 2.1). Columns 5 to 10: Risk Assessment (Ex. 2.2 with improvements).

| Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)* | Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss |
|---|---|---|---|---|---|---|---|---|---|
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000 |
| Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250 |

Audit Programs

Every major Internal Control risk on the Matrix is given a set of Tests in the Audit Program

This is where audit programs come from.

Audit programs are checklists of the various tests (audit procedures) that auditors must perform within the scope of their audits to determine whether key controls intended to mitigate significant risks are functioning as designed.

• Objective
  • To determine the adequacy of the controls over the particular accounting processes covered by the audit program
  • This is fundamentally what the assurance and attestation aspects of the audit are expected to achieve during the ‘tests of transactions’ or mid-year or internal control tests
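The risk assessment database and its hand-off to the audit program can be worked through in code. The following is an added example, not part of the original slides: it joins the asset inventory to the risks, computes expected loss as occurrences per year times cost per occurrence, ranks the risks, and lists those that need tests. The `asset_id` key, the function names and the 11,000 dollar threshold are assumptions made for illustration; the two data rows are the ones in the risk assessment table.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the IS asset inventory."""
    asset_id: str        # hypothetical join key, not a column on the slide
    primary_os: str
    owner: str
    application: str
    value_musd: float    # asset value to owner, $ millions


@dataclass(frozen=True)
class Risk:
    """One internal-control risk on a transaction flow managed by an asset."""
    asset_id: str
    flow: str
    flow_value_musd: float   # total annual transaction value, $ millions
    description: str
    per_year: float          # probability of occurrence (# per year)
    cost_each: float         # cost of a single occurrence, $

    @property
    def expected_loss(self) -> float:
        """Dollar estimate of expected annual loss."""
        return self.per_year * self.cost_each


def build_matrix(assets, risks):
    """Join risks to the inventory and rank them by expected loss, largest first."""
    inventory = {a.asset_id: a for a in assets}
    orphans = sorted({r.asset_id for r in risks} - set(inventory))
    if orphans:
        # A risk with no inventoried asset means the inventory is incomplete.
        raise ValueError(f"risks reference assets missing from inventory: {orphans}")
    rows = [(inventory[r.asset_id], r) for r in risks]
    return sorted(rows, key=lambda row: row[1].expected_loss, reverse=True)


def flow_exposure(matrix):
    """Per transaction flow: (total expected loss in $, share of annual flow value)."""
    totals = defaultdict(float)
    flow_value = {}
    for _, risk in matrix:
        totals[risk.flow] += risk.expected_loss
        flow_value[risk.flow] = risk.flow_value_musd * 1_000_000
    return {flow: (loss, loss / flow_value[flow]) for flow, loss in totals.items()}


def audit_program(matrix, major_threshold):
    """List the risks at or above the threshold; each needs tests in the program."""
    return [
        f"{asset.application} on {asset.primary_os} ({asset.owner}): "
        f"test controls over '{risk.description}' in '{risk.flow}' "
        f"(expected loss ${risk.expected_loss:,.0f})"
        for asset, risk in matrix
        if risk.expected_loss >= major_threshold
    ]


# The two rows from the risk assessment table; asset_id "A1" is a constructed key.
ASSETS = [Asset("A1", "Win XP", "Receiving Dock", "A/P", 0.002)]
RISKS = [
    Risk("A1", "RM Received from Vendor", 23, "Theft", 100, 100),
    Risk("A1", "RM Received from Vendor", 23, "Obsolescence and spoilage", 35, 350),
]

if __name__ == "__main__":
    matrix = build_matrix(ASSETS, RISKS)
    for flow, (loss, share) in flow_exposure(matrix).items():
        print(f"{flow}: expected loss ${loss:,.0f} ({share:.4%} of flow value)")
    # 11,000 is an assumed cut-off for what counts as a "major" risk.
    for line in audit_program(matrix, major_threshold=11_000):
        print(line)
```
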

Audit Programs: The objective

• The reason for an audit is to write an opinion:
  • Saying stock price is fairly stated (external)
  • Control processes are effective (internal & external)
  • Assets are not at risk of theft or damage (internal)
• We only need to identify computer systems where one or more of these objectives is affected

Audit Programs: Benefits

• The use of audit programs is fairly standard for audit firms, and is considered good business practice. List three (3) benefits to the audit firm of using an audit program
  • They improve resource planning (where to spend money and employ people on an audit)
  • They promote consistency from year to year when personnel and situations of an audit change
  • Prior years’ programs are the basis for the current year’s audit procedures
  • Anything else that seems reasonable

Audit Programs: Control assessment

Information systems audit programs should assess the adequacy of controls in four (4) areas.

1. Environmental controls

2. Physical security controls

3. Logical security controls

4. IS operating controls

Flowcharting Accounting Systems

Each bubble is associated with a person or entity that is responsible for that process

The same individuals with:

• Managerial Control
• Accountability
• Responsibility for the process

Should all be responsible for the same bubble

Flowcharting Accounting Systems

A data flow diagram

Data Flow Diagram Notations

Flowcharting Accounting Systems

A process transforms incoming data flow into outgoing data flow.

Flowcharting Accounting Systems

Datastores are repositories of data in the system.

They are sometimes also referred to as databases or files.

Flowcharting Accounting Systems

Dataflows are pipelines through which transactions (packets of information) flow.

Label the arrows with the name of the data that moves through it.

Flowcharting Accounting Systems

External entities are entities outside the firm, with which the accounting system communicates

E.g., vendors, customers, advertisers, etc.

External entities are sources and destinations of the transaction input and output

Flowcharting Accounting Systems

The Context diagram lists all of the external relationships

Flowcharting Accounting Systems … Levels

The Context diagram is also known as the Level 0 data flow diagram. It only contains one process node (process 0) that generalizes the function of the entire system in relationship to external entities.

DFD levels

The first level DFD shows the main processes within the system.

Each of these processes can be broken into further processes until you reach the level at which individual actions on transaction flows take place

If you use SmartDraw

Drawing Nested DFDs in SmartDraw

You can easily nest data flow diagrams in SmartDraw. Draw the high-level diagrams first, then select the process you want to expand, go to the Tools menu, and select Insert Hyperlink. Link the selected process notation to another SmartDraw diagram or a web page.

The Datastore

• The Datastore is used to represent Ledgers, Journals
• Or more often in the current world
  • Their computer implemented counterpart
  • Since almost no one keeps physical records

Flowcharting Accounting Systems … Lower Level with Multiple Processes

Data Flow Diagram Layers

• Draw data flow diagrams in several nested layers.
• A single process node on a high level diagram can be expanded to show a more detailed data flow diagram
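The notation rules in the flowcharting slides can be checked mechanically once a diagram is written down as data. The following is an added example, not part of the original slides: it flags processes with no incoming or outgoing data flow, unlabelled arrows, bubbles where managerial control, accountability and responsibility sit with different people, and external entities that are neither a source nor a destination. The finding codes and the purchasing diagram are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    kind: str                      # "process", "datastore" or "external"
    managerial_control: str = ""   # the three roles apply to processes only
    accountable: str = ""
    responsible: str = ""


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    label: str                     # name of the data moving along the arrow


def check_dfd(nodes, flows):
    """Return sorted (finding_code, subject) pairs for one data flow diagram."""
    by_name = {n.name: n for n in nodes}
    ins = {name: 0 for name in by_name}
    outs = {name: 0 for name in by_name}
    findings = []
    for f in flows:
        arrow = f"{f.source} -> {f.target}"
        if f.source not in by_name or f.target not in by_name:
            findings.append(("UNKNOWN_NODE", arrow))
            continue
        if not f.label.strip():
            findings.append(("UNLABELLED_FLOW", arrow))
        outs[f.source] += 1
        ins[f.target] += 1
    for n in nodes:
        if n.kind == "process":
            # A process transforms incoming data flow into outgoing data flow.
            if ins[n.name] == 0:
                findings.append(("NO_INPUT", n.name))
            if outs[n.name] == 0:
                findings.append(("NO_OUTPUT", n.name))
            roles = {n.managerial_control, n.accountable, n.responsible}
            if "" in roles:
                findings.append(("NO_OWNER", n.name))
            elif len(roles) > 1:
                # Control, accountability and responsibility should coincide.
                findings.append(("SPLIT_OWNERSHIP", n.name))
        elif n.kind == "external" and ins[n.name] + outs[n.name] == 0:
            findings.append(("UNUSED_EXTERNAL", n.name))
    return sorted(findings)


# Constructed level-1 diagram of a purchasing flow, with deliberate defects.
NODES = [
    Node("Vendor", "external"),
    Node("Bank", "external"),
    Node("A/P ledger", "datastore"),
    Node("1 Receive goods", "process", "Dock supervisor", "Dock supervisor", "Dock supervisor"),
    Node("2 Approve invoice", "process", "A/P manager", "A/P manager", "Receiving clerk"),
    Node("3 Pay vendor", "process", "Treasurer", "Treasurer", "Treasurer"),
]
FLOWS = [
    Flow("Vendor", "1 Receive goods", "raw materials delivery"),
    Flow("1 Receive goods", "A/P ledger", "receiving report"),
    Flow("A/P ledger", "2 Approve invoice", "open payable"),
    Flow("2 Approve invoice", "3 Pay vendor", ""),
]

if __name__ == "__main__":
    for code, subject in check_dfd(NODES, FLOWS):
        print(f"{code}: {subject}")
```
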

Authorizations & Security Policy: Strategy, Policy

• Strategy defines the way that Top Management achieves corporate objectives
• Policy is a written set of procedures, guidelines and rules
  • Designed to accomplish a subset of strategic tasks
  • By a particular subgroup of employees

[Figure: information system diagram. Column headings: Information, Inputs, Outputs, Objectives, Manager Action. Labels: Environmental, Competitive, Internal Financial, Internal Non-financial; Profitability, Efficiency, Growth, Survival; Quantity, Quality, Cost, Time; Manpower, Money, Machines, Methods, Materials; Plan, Organize, Actuate, Control; Information System (four times).]

The Three Elements of Policy Implementation

Standards – Standards specify the use of specific technologies in a uniform way. The example the book gives is the standardization of operating procedures

Guidelines – Similar to standards but are recommended actions

Procedures – These are the detailed steps that must be performed for any tasks.

What’s in a Policy Document

Governing Policy

• Should cover
  • Address information security policy at a general level
  • Define significant concepts
  • Describe why they are important, and
  • Detail what your company’s stand is on them

Governing policy will be read by managers and by technical custodians

Level of detail: governing policy should address the “what” in terms of security policy.

Governing Policy Outline might typically include

1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity/Disaster Recovery
8. Compliance Measurement

Technical Policies

Used by technical custodians as they carry out their security responsibilities for the system they work with.

Are more detailed than the governing policy and will be system or issue specific, e.g., AS-400 or physical security.

Technical Policy Outline might typically include

1. Authentication
2. Authorization
3. Auditing
4. Network Services
5. Physical Security
6. Operating System
7. Business Continuity/Disaster Recovery
8. Compliance Measurement

User Policies

Cover IS security policy that end-users should ever have to know about, comply with, and implement.

Most of these will address the management of transaction flows and databases associated with applications

Some of these policy statements may overlap with the technical policy

Grouping all end-user policy together means that users will only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security

User Policy Outline might typically include

1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices/PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging/Output